From 53fc77778a3b34ccf49046286da95150cabf351b Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Sat, 21 Aug 2021 02:44:32 -0600
Subject: [PATCH] Prevent user from impersonating self
---
 modules/backend/models/User.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/modules/backend/models/User.php b/modules/backend/models/User.php
index b418a38d5..7e49278c4 100644
--- a/modules/backend/models/User.php
+++ b/modules/backend/models/User.php
@@ -243,14 +243,20 @@ class User extends UserBase
 /**
 * Check if this user can be impersonated by the provided impersonator
 * Super users cannot be impersonated and all users cannot be impersonated unless there is an impersonator
- * present and the impersonator has access to `backend.impersonate_users`.
+ * present and the impersonator has access to `backend.impersonate_users`, and the impersonator is not the
+ * user being impersonated
 *
 * @param static|false $impersonator The user attempting to impersonate this user, false when not available
 * @return boolean
 */
 public function canBeImpersonated($impersonator = false)
 {
- if ($this->isSuperUser() || !$impersonator || !$impersonator->hasAccess('backend.impersonate_users')) {
+ if (
+ $this->isSuperUser() ||
+ !$impersonator ||
+ !$impersonator->hasAccess('backend.impersonate_users') ||
+ $impersonator === $this
+ ) {
 return false;
 }
 return true;
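Review bot: The added `$impersonator === $this` clause in canBeImpersonated() compares object identity, so it only blocks self-impersonation when the caller passes the very same PHP instance; two model objects loaded separately for the same account are not identical, and the method would then still return true. Whether the callers load the two users separately is not visible in this hunk, but comparing the records rather than the instances is the safer check, e.g. `$impersonator->is($this)` if UserBase is an Eloquent model, or a comparison of the two primary keys otherwise. A regression test that fetches the logged-in user a second time and asserts that canBeImpersonated() returns false would pin the intended behaviour. The method's closing brace falls outside the hunk.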